FIDO is supported, which is cred phishing resistant - but Oauth permissions phishing obviously can't be prevented if it's all 'legitimate' traffic to a bad app.